Technical Update

September 10, 2003: The following changes were made to this
article:

Updated the "Security Patch Replacement Information"
sections to indicate that this patch has been replaced by 824146 (MS03-039).
For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

Updated the "Installation Information" sections to
indicate that Microsoft has released a tool that network administrators can use
to scan a network and to identify host computers that do not have the 823980
(MS03-026) and the 824146 (MS03-039) security patches installed.
For additional
information about this tool, click the following article number to view the
article in the Microsoft Knowledge Base:

August 19, 2003: Updated the "More Information" section to
include a reference to Microsoft Knowledge Base article 826234. This article
contains information about the Nachi worm virus that tries to exploit the
vulnerability that is fixed by this security patch.

Updated the "More Information" section to include a
reference to Microsoft Knowledge Base article 826955. This article contains
information about the Blaster worm virus that tries to exploit the
vulnerability that is fixed by this security patch.

Updated the "Installation Information" section to
indicate that Microsoft has released a tool that network administrators can use
to scan a network for systems that do not have this security patch installed.

Microsoft originally released this bulletin and patch on
July 16, 2003, to correct a security vulnerability in a Windows Distributed
Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch
was and still is effective in eliminating the security vulnerability. However,
the "mitigating factors" and "workarounds" discussions in the original security
bulletin did not clearly identify all the ports by which the vulnerability
could potentially be exploited. Microsoft has updated this bulletin to more
clearly enumerate the ports over which RPC services can be invoked and to make
sure that customers who choose to implement a workaround before installing the
patch have the information that they must have to protect their systems.
Customers who have already installed the patch are protected from attempts to
exploit this vulnerability and do not have to take further action.

Remote Procedure Call (RPC) is a protocol that is used by the Windows operating
system. RPC provides an inter-process communication mechanism that allows a
program that is running on one computer to seamlessly run code on a remote
computer. The protocol itself is derived from the Open Software Foundation
(OSF) RPC protocol. The RPC protocol that is used by Windows includes some
additional Microsoft-specific extensions.

There is a vulnerability
in the part of RPC that deals with message exchange over TCP/IP. The failure
results because of incorrect handling of malformed messages. This particular
vulnerability affects a Distributed Component Object Model (DCOM) interface
with RPC, which listens on RPC-enabled ports. This interface handles DCOM
object activation requests that are sent by client machines (for example,
Universal Naming Convention [UNC] path requests) to the server. An attacker who
successfully exploited this vulnerability would be able to run code with Local
System privileges on an affected system. The attacker would be able to take any
action on the system, including installing programs, viewing data, changing
data, deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would have to send a specially
formed request to the remote computer on specific RPC ports.

Mitigating Factors

To exploit this vulnerability, the attacker must be able to
send a specially crafted request to port 135, port 139, port 445, or any other
specifically configured RPC port on the remote computer. For intranet
environments, these ports are typically accessible, but for Internet-connected
computers, these ports are typically blocked by a firewall. If these ports are
not blocked, or in an intranet environment, the attacker does not have to have
any additional privileges.

Best practice recommendations include blocking all TCP/IP
ports that are not actually being used. By default, most firewalls, including
the Windows Internet Connection Firewall (ICF), block those ports. For this
reason, most computers that are attached to the Internet should have RPC over
TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile
environments, such as the Internet. More robust protocols, such as RPC over
HTTP, are provided for hostile environments.

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

Prerequisites

This security patch requires the released version of Windows
Server 2003.

Installation Information

This security patch supports the following Setup switches:

/? : Display the list of installation switches.

/u : Use Unattended mode.

/f : Force other programs to quit when the computer shuts down.

/n : Do not back up files for removal.

/o : Overwrite OEM files without prompting.

/z : Do not restart when installation is complete.

/q : Use Quiet mode (no user interaction).

/l : List installed hotfixes.

/x : Extract the files without running Setup.

Microsoft has released a tool that network administrators can
use to scan a network for the presence of systems that do not have this
security patch installed.
For additional
information about this tool, click the following article number to view the
article in the Microsoft Knowledge Base:

How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is
installed on your computer by using Microsoft Baseline Security Analyzer
(MBSA), by comparing the file versions on your computer to the list of files in
the "File Information" section of this article, or by confirming that the
following registry key exists:

Restart Requirement

You must restart your computer after you apply this security
patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool
in Control Panel.

System administrators can use the Spuninst.exe
utility to remove this security patch. The Spuninst.exe utility is located in
the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the
following Setup switches:

/? : Display the list of installation switches.

/u : Use unattended mode.

/f : Force other programs to quit when the computer shuts down.

/z : Do not restart when installation is complete.

/q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows Server 2003-based computers, this security patch does
not replace any other security patches.

This security patch is
replaced by 824146 (MS03-039).
For more information
about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this
fix has the file attributes (or later) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time
Zone tab in the Date and Time tool in Control Panel.

Note When you install this security patch on a computer that is
running Windows Server 2003 or Windows XP 64-Bit Edition Version 2003, the
installer checks to see if any of the files that are being updated on your
computer have previously been updated by a Microsoft hotfix. If you previously
installed a hotfix to update one of these files, the installer copies the
hotfix files to your computer. Otherwise, the installer copies the GDR files to
your computer.
For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

Prerequisites

This security patch requires the released version of Windows XP or
Windows XP Service Pack 1 (SP1). For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:

Microsoft has released a tool that network administrators can
use to scan a network for the presence of systems that do not have this
security patch installed.
For additional
information about this tool, click the following article number to view the
article in the Microsoft Knowledge Base:

How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is
installed on your computer by using Microsoft Baseline Security Analyzer
(MBSA), by comparing the file versions on your computer to the list of files in
the "File Information" section of this article, or by confirming that the
following registry key exists:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980

For additional
information about Microsoft Baseline Security Analyzer (MBSA), click the
following article number to view the article in the Microsoft Knowledge Base:

Restart Requirement

You must restart your computer after you apply this security
patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool
in Control Panel.

System administrators can use the Spuninst.exe
utility to remove this security patch. The Spuninst.exe utility is located in
the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the
following Setup switches:

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this
fix has the file attributes (or later) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time
Zone tab in the Date and Time tool in Control Panel.

Note The Windows XP versions of this patch are packaged as dual-mode
packages.
For additional information about dual-mode
packages, click the following article number to view the article in the
Microsoft Knowledge Base:

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

Note This patch is not supported on Windows 2000 Datacenter Server.
For information about how to obtain a security patch for Windows 2000
Datacenter Server, contact your participating OEM vendor.
For
additional information about Windows 2000 Datacenter Server, click the
following article number to view the article in the Microsoft Knowledge Base:

Microsoft has released a tool that you can use to scan a
network for the presence of systems that do not have this security patch
installed.
For additional
information about this tool, click the following article number to view the
article in the Microsoft Knowledge Base:

How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is
installed on your computer by using Microsoft Baseline Security Analyzer
(MBSA), by comparing the file versions on your computer to the list of files in
the "File Information" section of this article, or by confirming that the
following registry key exists:

Restart Requirement

You must restart your computer after you apply this security
patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool
in Control Panel.

System administrators can use the Spuninst.exe
utility to remove this security patch. The Spuninst.exe utility is located in
the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the
following Setup switches:

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this
fix has the file attributes (or later) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time
Zone tab in the Date and Time tool in Control Panel.

A supported
hotfix is now available from Microsoft, but it is only intended to correct the
problem that this article describes. Apply it only to systems that are
experiencing this specific problem.

To resolve this problem, contact
Microsoft Product Support Services to obtain the hotfix. For a complete list of
Microsoft Product Support Services telephone numbers and information about
support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The usual support costs will
apply to additional support questions and issues that do not qualify for the
specific update in question.

Windows NT 4.0 (All Versions)

Download Information

The
following files are available for download from the Microsoft Download Center:

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

Prerequisites

Note This security patch will install on Windows NT 4.0 Workstation.
However, Microsoft no longer supports this version, according to the Microsoft
Lifecycle Support policy. Additionally, this security patch has not been tested
on Windows NT 4.0 Workstation. For information about the Microsoft Lifecycle
Support policy, visit the following Microsoft Web site:

/q : Use Quiet or Unattended mode with no user interface (this
switch is a superset of /m).

/m : Use Unattended mode with user interface.

/l : List installed hotfixes.

/x : Extract the files without running Setup.

Microsoft has released a tool that you can use to scan a
network for the presence of systems which do not have this security patch
installed.
For additional
information about this tool, click the following article number to view the
article in the Microsoft Knowledge Base:

How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is
installed on your computer by using Microsoft Baseline Security Analyzer
(MBSA), by comparing the file versions on your computer to the list of files in
the "File Information" section of this article, or by confirming that the
following registry key exists:

Restart Requirement

You must restart your computer after you apply this security
patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool
in Control Panel.

System administrators can use the Spuninst.exe
utility to remove this security patch. The Spuninst.exe utility is located in
the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the
following Setup switches:

/? : Display the list of installation switches.

/u : Use unattended mode.

/f : Force other programs to quit when the computer shuts down.

/z : Do not restart when installation is complete.

/q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows NT 4.0-based computers, this security patch replaces
the security patch that is provided with Microsoft Security Bulletin
MS01-048.

This patch is replaced by 824146 (MS03-039).
For more information
about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this
fix has the file attributes (or later) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time
Zone tab in the Date and Time tool in Control Panel.

Although Microsoft urges all customers to apply the security
patch at the earliest possible opportunity, there are several workarounds that
you can use in the interim to help block the vector that is used to exploit
this vulnerability.

These workarounds are temporary measures. They
only help to block the paths of attack. They do not correct the underlying
vulnerability.

The following sections provide information that you
can use to help protect your computer from attack. Each section describes the
workarounds that you can use, depending on your computer’s configuration and
depending on the level of functionality that you require.

Block UDP ports 135, 137, 138, and 445 and TCP ports 135, 139, 445, and 593 at your firewall, and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines

These ports are used to initiate an RPC connection with a remote
computer. Blocking these ports at the firewall will help prevent systems behind
that firewall from being attacked by attempts to exploit these vulnerabilities.
You should also block any other specifically configured RPC port on the remote
machine.

If enabled, CIS and RPC over HTTP allow DCOM calls to
operate over TCP port 80 (and port 443 on Windows XP and Windows Server 2003).
Make sure that CIS and RPC over HTTP are disabled on all the affected machines.
For additional information about how to disable CIS, click
the following article number to view the article in the Microsoft Knowledge
Base:

Additionally, customers may have configured services or protocols
that use RPC that may also be accessible from the Internet. Systems
administrators are strongly encouraged to examine RPC ports that are exposed to
the Internet and to either block these ports at their firewall or to apply the
patch immediately.
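
An added example, not part of the Microsoft article: a host-side check that complements the firewall workaround above. It parses Windows `netstat -an` output (the sample is constructed and uses documentation addresses) and reports listeners on the ports the article says to block; ports 80 and 443 are listed for review only, because netstat cannot show whether CIS or RPC over HTTP is enabled.

```python
import re

# Ports the article says to block at the firewall. Any other specifically
# configured RPC port is site-specific and must be added by the operator.
RPC_PORTS = {
    ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 445),
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593),
}
# CIS and RPC over HTTP use the web ports. netstat cannot show whether
# they are enabled, so listeners here are reported for manual review.
HTTP_REVIEW_PORTS = {("TCP", 80), ("TCP", 443)}

# One row of "netstat -an": proto, local addr:port, foreign addr, [state].
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

# Constructed sample output (192.0.2.0/24 is a documentation range).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.77:1042        ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:500         *:*
"""


def parse_listeners(netstat_text):
    """Yield (proto, local_addr, port) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header, or blank line
        proto, addr, port, _foreign, state = m.groups()
        proto = proto.upper()
        # TCP rows carry a state; only LISTENING sockets accept new connections.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        yield proto, addr, int(port)


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(netstat_text):
    """Return sorted 'PROTO/port@addr' strings under 'exposed' and 'review'."""
    report = {"exposed": set(), "review": set()}
    for proto, addr, port in parse_listeners(netstat_text):
        if is_loopback(addr):
            continue  # not reachable from the network
        tag = f"{proto}/{port}@{addr}"
        if (proto, port) in RPC_PORTS:
            report["exposed"].add(tag)
        elif (proto, port) in HTTP_REVIEW_PORTS:
            report["review"].add(tag)
    return {kind: sorted(tags) for kind, tags in report.items()}


if __name__ == "__main__":
    for kind, sockets in audit(SAMPLE).items():
        for s in sockets:
            print(f"{kind:8} {s}")
```

A listener reported as exposed is reachable only if a firewall in the path allows it, so the result shows which hosts depend on the firewall rules until the patch is installed.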

Use Internet Connection Firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines

If you are using the Internet Connection Firewall feature in
Windows XP or in Windows Server 2003 to help to protect your Internet
connection, it will by default block inbound RPC traffic from the Internet.
Make sure that CIS and RPC over HTTP are disabled on all affected machines.
For additional information about how to disable CIS, click
the following article number to view the article in the Microsoft Knowledge
Base:

Block the affected ports by using an IPSec filter and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines

You can secure network communications on Windows 2000-based
computers if you use Internet Protocol Security (IPSec).
For
additional information about IPSec and how to apply filters, click the
following article numbers to view the articles in the Microsoft Knowledge Base:

Make sure that CIS and RPC over HTTP are disabled on
all affected machines. For additional information about how to disable CIS, click
the following article number to view the article in the Microsoft Knowledge
Base:

How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

Disable DCOM on all affected computers

When a computer is part of a network, the DCOM wire protocol
enables COM objects on that computer to communicate with COM objects on other
computers.

You can disable DCOM for a particular computer to help
protect against this vulnerability, but doing so disables all communication
between objects on that computer and objects on other computers. If you disable
DCOM on a remote computer, you then cannot remotely access that computer to
re-enable DCOM. To re-enable DCOM, you must have physical access to that
computer.
For additional information about
how to disable DCOM, click the following article number to view the article in
the Microsoft Knowledge Base:

Note For Windows 2000, the methods described in Microsoft Knowledge
Base article 825750 to disable DCOM will only work on computers that are
running Windows 2000 Service Pack 3 or later. Customers using Service Pack 2 or
earlier should upgrade to a later service pack or use one of the other
workarounds.

For
additional information about the Blaster worm virus that tries to exploit the
vulnerability that is fixed by this security patch, click the following article
number to view the article in the Microsoft Knowledge Base:

For additional information about the Nachi worm virus that
tries to exploit the vulnerability that is fixed by this security patch, click
the following article number to view the article in the Microsoft Knowledge
Base: